Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly.
This commit is contained in:
jakedt
parent
25ceb90fc6
commit
e74eb3ee87
8 changed files with 137 additions and 31 deletions
56
auth/auth.py
56
auth/auth.py
|
|
@ -1,13 +1,16 @@
|
|||
import logging
|
||||
|
||||
from functools import wraps
|
||||
from datetime import datetime
|
||||
from flask import request, _request_ctx_stack, session
|
||||
from flask.ext.principal import identity_changed, Identity
|
||||
from base64 import b64decode
|
||||
|
||||
from data import model
|
||||
from data.model import oauth
|
||||
from app import app
|
||||
from permissions import QuayDeferredPermissionUser
|
||||
import scopes
|
||||
|
||||
from util.http import abort
|
||||
|
||||
|
|
@ -49,7 +52,8 @@ def process_basic_auth(auth):
|
|||
ctx = _request_ctx_stack.top
|
||||
ctx.authenticated_user = robot
|
||||
|
||||
identity_changed.send(app, identity=Identity(robot.username, 'username'))
|
||||
deferred_robot = QuayDeferredPermissionUser(robot.username, 'username')
|
||||
identity_changed.send(app, identity=deferred_robot)
|
||||
return
|
||||
except model.InvalidRobotException:
|
||||
logger.debug('Invalid robot or password for robot: %s' % credentials[0])
|
||||
|
|
@ -62,8 +66,7 @@ def process_basic_auth(auth):
|
|||
ctx = _request_ctx_stack.top
|
||||
ctx.authenticated_user = authenticated
|
||||
|
||||
new_identity = QuayDeferredPermissionUser(authenticated.username,
|
||||
'username')
|
||||
new_identity = QuayDeferredPermissionUser(authenticated.username, 'username')
|
||||
identity_changed.send(app, identity=new_identity)
|
||||
return
|
||||
|
||||
|
|
@ -94,18 +97,55 @@ def process_token(auth):
|
|||
token_data = model.load_token_data(token_vals['signature'])
|
||||
|
||||
except model.InvalidTokenException:
|
||||
logger.warning('Token could not be validated: %s' %
|
||||
token_vals['signature'])
|
||||
logger.warning('Token could not be validated: %s', token_vals['signature'])
|
||||
abort(401, message="Token could not be validated: %(auth)", issue='invalid-auth-token',
|
||||
auth=auth)
|
||||
|
||||
logger.debug('Successfully validated token: %s' % token_data.code)
|
||||
logger.debug('Successfully validated token: %s', token_data.code)
|
||||
ctx = _request_ctx_stack.top
|
||||
ctx.validated_token = token_data
|
||||
|
||||
identity_changed.send(app, identity=Identity(token_data.code, 'token'))
|
||||
|
||||
|
||||
def process_oauth(auth):
|
||||
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||
if normalized[0].lower() != 'bearer' or len(normalized) != 2:
|
||||
logger.debug('Invalid oauth bearer token format.')
|
||||
return
|
||||
|
||||
token = normalized[1]
|
||||
validated = oauth.validate_access_token(token)
|
||||
if not validated:
|
||||
logger.warning('OAuth access token could not be validated: %s', token)
|
||||
authenticate_header = {
|
||||
'WWW-Authenticate': ('Bearer error="invalid_token", '
|
||||
'error_description="The access token is invalid"'),
|
||||
}
|
||||
abort(401, message="OAuth access token could not be validated: %(token)",
|
||||
issue='invalid-oauth-token', token=token, header=authenticate_header)
|
||||
elif validated.expires_at <= datetime.now():
|
||||
logger.info('OAuth access with an expired token: %s', token)
|
||||
authenticate_header = {
|
||||
'WWW-Authenticate': ('Bearer error="invalid_token", '
|
||||
'error_description="The access token expired"'),
|
||||
}
|
||||
abort(401, message="OAuth access token has expired: %(token)", issue='invalid-oauth-token',
|
||||
token=token, headers=authenticate_header)
|
||||
|
||||
# We have a valid token
|
||||
scope_set = scopes.scopes_from_scope_string(validated.scope)
|
||||
logger.debug('Successfully validated oauth access token: %s with scope: %s', token,
|
||||
scope_set)
|
||||
|
||||
ctx = _request_ctx_stack.top
|
||||
ctx.authenticated_user = validated.authorized_user
|
||||
|
||||
new_identity = QuayDeferredPermissionUser(validated.authorized_user.username, 'username',
|
||||
scope_set)
|
||||
identity_changed.send(app, identity=new_identity)
|
||||
|
||||
|
||||
def process_auth(f):
|
||||
@wraps(f)
|
||||
def wrapper(*args, **kwargs):
|
||||
|
|
@ -115,6 +155,7 @@ def process_auth(f):
|
|||
logger.debug('Validating auth header: %s' % auth)
|
||||
process_token(auth)
|
||||
process_basic_auth(auth)
|
||||
process_oauth(auth)
|
||||
else:
|
||||
logger.debug('No auth header.')
|
||||
|
||||
|
|
@ -126,8 +167,7 @@ def extract_namespace_repo_from_session(f):
|
|||
@wraps(f)
|
||||
def wrapper(*args, **kwargs):
|
||||
if 'namespace' not in session or 'repository' not in session:
|
||||
logger.error('Unable to load namespace or repository from session: %s' %
|
||||
session)
|
||||
logger.error('Unable to load namespace or repository from session: %s' % session)
|
||||
abort(400, message="Missing namespace in request")
|
||||
|
||||
return f(session['namespace'], session['repository'], *args, **kwargs)
|
||||
|
|
|
|||
Reference in a new issue